Your boss brought you his iPhone and said "make it work!". And so with no budget and no thought to security, you did. Now that Traveler's up and running, there are a lot more unsecured end points on your network. Explore different options to secure Traveler in this presentation from Simplified Technology Solutions' Darren Duke.
I Have a Traveler Server - Maybe I Should Secure It Some?
1. Oh yes, that Pentium 90 under your desk is running a business critical app. Time to look at it.
Darren Duke – Technical Deus - STS – June 2013
2. About me
AKA my favorite slide
Started with “Lotus Notes” in R3
Yes, really….R3
Founder of STS based in Atlanta
Sometime blogger, ranting Tweeter, ex-host of This Week In Lotus, Speaker, Fixture at “Ask the PM’s”
I am obnoxious as obnoxiousness is usually required to elicit answers from IBM
“Experience is the name one gives to their mistakes” – Oscar Wilde
3. Traveler, like BES = top down
Your CEO told your boss to make his iPad work
Your boss told you to make the CEO’s, and now also *his* as he needs one “for support”, iPads work
You got no budget and an old desktop server or VM and installed Traveler
After the first email, this server was business critical
4. Now everyone has one
Once word was out…..
You became very popular
5. iOS Devices are for “work”….
Hence the executives’ desire to get them to work
But we all know the real reason…
6. Security Options
None. Erm….Whiskey Tango Foxtrot?
SSL on Domino
SSL on IHS in front of Domino (new in 9)
Reverse Proxy
IBM Mobile Connect
Certificate authentication**
You can always go back to BES ;)
7. Traveler is “free”
Only if you don’t secure it
How much did your org spend on BES?
Server, CALs, Devices, Support….
Why do you not treat your Traveler as you did your BES?
Spend money, do it right and secure it
It’ll still come out cheaper than your BES did
8. A word about DNS and SSL
Whatever solution you choose to secure your Traveler server….
Make sure the DNS name and the protocol are the same inside and out
my_traveler_server.mycompany.com
If you use SSL on the outside, you must use it on the inside too
That means you may use more than one solution
Outside LAN : IHS + SSL + Reverse Proxy
Inside LAN : IHS + SSL
9. None – aka the default
As the great Paul Mooney once said:
“Port 80 on Traveler is *very* unwise”
Your passwords (and everything else) are going across the internet in clear text
But…..
it scales well - joke
Still, I would not do this on my servers. Ever.
Even the installer warns you this is a bad idea
Free
Until you are hacked
10. SSL on Domino
Everything is secure if you did it right
Redirect all traffic from 80 to SSL (443) in the server doc, ports
Self-signed SSL can be used
But causes issues on some (all?) Androids
You can get around this by side loading or maybe via the Google Play store now
Domino SSL scaling may cause issues
Domino still “surfaced” on the internet
Reasonably cheap
11. SSL on IHS in front of Domino
New in 9.0, install IBM HTTP Server (IHS)
Installed as an option with Domino, on the same server as Domino
Windows only for now, needs 9.0 IF1
○ PMR if you want other OSes to get this
Will handle SSL
Fixes Domino scaling with SSL
“Allows” Domino HTTP to do TLS
IHS is now surfaced to the internet
Reasonably cheap
12. Reverse Proxy
A proxy (like WebSphere Edge Server, F5 or Apache) in the DMZ forwards traffic to Traveler in the LAN/DMZ
Can also be done with IHS, not sure about the licensing of that
Domino has no surface on the internet
Proxy can handle SSL
Can be cheap, or expensive
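As an added example (not code from the presentation, from IBM or from any product's documentation), here is what the "Outside LAN: IHS + SSL + Reverse Proxy" option from the DNS and SSL slide looks like as a plain Apache httpd 2.4 configuration: port 80 only redirects, port 443 terminates SSL, and only the Traveler paths are forwarded to the Domino server on the LAN, so Domino itself has no surface on the internet. The hostname, the internal backend name, the certificate paths and the two proxied paths (assumed to be the ones Traveler devices use) are assumptions. IHS is Apache-based, but its SSL directives (KeyFile, SSLEnable) differ from the mod_ssl ones shown here, so treat this as the shape of the setup rather than a drop-in IHS httpd.conf.

```apache
# Added example, not from the presentation. Apache httpd 2.4 + mod_ssl +
# mod_proxy in the DMZ. All names, addresses and paths are placeholders.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

# Port 80 serves nothing. Everything is sent to HTTPS, so no password
# ever crosses the internet in clear text (the "None" option, slide 9,
# is what you get if this vhost proxies traffic instead of redirecting).
<VirtualHost *:80>
    ServerName my_traveler_server.mycompany.com
    Redirect permanent / https://my_traveler_server.mycompany.com/
</VirtualHost>

<VirtualHost *:443>
    # Same DNS name inside and out (slide 8); split DNS points the LAN
    # at the internal IHS and the internet at this proxy.
    ServerName my_traveler_server.mycompany.com

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/traveler.crt        # assumed path
    SSLCertificateKeyFile   /etc/pki/tls/private/traveler.key      # assumed path
    SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.crt        # assumed path
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4
    Header always set Strict-Transport-Security "max-age=31536000"

    # Never behave as an open forward proxy; keep the external Host header
    # so Domino sees the same name the device used.
    ProxyRequests     Off
    ProxyPreserveHost On

    # "SSL on the inside too": the hop to the LAN server is also HTTPS.
    SSLProxyEngine On

    # Only the paths Traveler devices use are forwarded. Nothing else on
    # Domino (names.nsf, mail files, the Directory) is reachable from here.
    ProxyPass        /traveler                    https://traveler-lan.mycompany.com/traveler
    ProxyPassReverse /traveler                    https://traveler-lan.mycompany.com/traveler
    ProxyPass        /Microsoft-Server-ActiveSync https://traveler-lan.mycompany.com/Microsoft-Server-ActiveSync
    ProxyPassReverse /Microsoft-Server-ActiveSync https://traveler-lan.mycompany.com/Microsoft-Server-ActiveSync

    # Deny everything by default, then allow just the proxied paths.
    # Later <Location> sections override earlier ones in httpd 2.4.
    <Location />
        Require all denied
    </Location>
    <Location /traveler>
        Require all granted
    </Location>
    <Location /Microsoft-Server-ActiveSync>
        Require all granted
    </Location>
</VirtualHost>
```

The deny-by-default block is the part that makes this a reverse proxy rather than a port forward: a device can reach /traveler, but a request for /names.nsf is answered with 403 by the proxy and never reaches Domino. Check the result from outside with a browser or curl against both the Traveler path and a Domino path before opening the firewall.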
13. IBM Mobile Connect
IBM’s “headless VPN” solution
Think of it like a very secure reverse proxy
Can be used for iNotes, Connections and Quickr too
Out of the box (mostly) support for Traveler
No messy http.conf or domino.conf files
Maybe relatively cheap based on the current license you have
14. IBM Mobile Connect Licensing
If you have Domino Enterprise Server licensing
Full PVU or CEO
NOT Express
You get the CAL for IMC as an entitlement
Will only need to license IMC PVUs
Non-enterprise
You’ll need clients and PVUs
15. All the previous slides were server security
What about users?
Usually the weakest link
Options
Complex internet password
Internet Password Lockout
Certificate based authentication
16. Password Security
Your weakest link if you install Traveler correctly
Complex passwords are good for you
Suck for your user
Password changes are difficult to do on
a device
There is a possible solution…
17. Go password-less
Certificate based authentication
Well, on iOS devices
Android is on the Traveler road map (PMR it)
Really a function of the Domino HTTP server and the device
This is much easier with an MDM
Pushing certificates is easier with an MDM
You have to get the cert on the device
Make sure users have device passwords!!!
18. Conclusion
You may decide to use multiple methods
Domino + IHS + IMC + Certificates
Yes, it can get complex
Yes, it can be very, very secure
Almost BES like, but not quite
You may want to evaluate MDMs before attempting a certificate roll-out
Switching from non-SSL to SSL is “difficult”
A secure, HA Traveler platform can be expensive to implement
But hey, so was BES
19. Q&A and links
http://blog.darrenduke.net
Mostly useful stuff, some rants
http://www.simplified-tech.com
No rants, Lisa won’t let me
https://twitter.com/darrenduke
Mostly rants, some useful stuff
http://geldreddotcom.files.wordpress.com/2013/05/choosing-a-mdm-presentation.pdf
Choosing an MDM
I like DesktopCentral for the record
Never allow Anonymous access to the Domino Directory…..ever. Never.